我们在使用 apache 和 auth_ldap 对抗 AD 时遇到了一个棘手的问题。只有一个用户不被允许登录,尽管它属于允许的组之一,并且允许该组的其他用户登录。
当该用户尝试登录时,他会收到 401 状态代码,并且在 apache 错误日志(在调试模式下)中我们得到:
[Mon Jun 18 13:34:37.699991 2018] [ssl:debug] [pid 7097] ssl_engine_kernel.c(225): [client 10.0.0.1:45287] AH02034: Initial (No.1) HTTPS request received for child 4
(server xxxxxxxxxxxxx.at:80)
[Mon Jun 18 13:34:37.700189 2018] [authz_core:debug] [pid 7097] mod_authz_core.c(809): [client 10.0.0.1:45287] AH01626: authorization result of Require ldap-group CN=
group1,xxxxxxxxxxxxxxxxxxxxxxxxxx,DC=at: denied (no authenticated user yet)
[Mon Jun 18 13:34:37.700201 2018] [authz_core:debug] [pid 7097] mod_authz_core.c(809): [client 10.0.0.1:45287] AH01626: authorization result of Require ldap-group CN=
group2,xxxxxxxxxxxxxxxxxxxxxxxxxx,DC=at: denied (no authenticated user yet)
[Mon Jun 18 13:34:37.700206 2018] [authz_core:debug] [pid 7097] mod_authz_core.c(809): [client 10.0.0.1:45287] AH01626: authorization result of Require ldap-group CN=
group3,OU=zuChecken,xxxxxxxxxxxxxxxxxxxxxxxxxx,DC=at: denied (no authenticated user yet)
[Mon Jun 18 13:34:37.700210 2018] [authz_core:debug] [pid 7097] mod_authz_core.c(809): [client 10.0.0.1:45287] AH01626: authorization result of Require ldap-group CN=
group4,xxxxxxxxxxxxxxxxxxxxxxxxxx,DC=at: denied (no authenticated user yet)
[Mon Jun 18 13:34:37.700214 2018] [authz_core:debug] [pid 7097] mod_authz_core.c(809): [client 10.0.0.1:45287] AH01626: authorization result of Require ldap-group CN=
group5,xxxxxxxxxxxxxxxxxxxxxxxxxx,DC=at: denied (no authenticated user yet)
[Mon Jun 18 13:34:37.700218 2018] [authz_core:debug] [pid 7097] mod_authz_core.c(809): [client 10.0.0.1:45287] AH01626: authorization result of Require ldap-group CN=
group6,xxxxxxxxxxxxxxxxxxxxxxxxxx,DC=at: denied (no authenticated user yet)
[Mon Jun 18 13:34:37.700244 2018] [authz_core:debug] [pid 7097] mod_authz_core.c(809): [client 10.0.0.1:45287] AH01626: authorization result of Require ldap-group CN=
group7,xxxxxxxxxxxxxxxxxxxxxxxxxx,DC=at: denied (no authenticated user yet)
[Mon Jun 18 13:34:37.700248 2018] [authz_core:debug] [pid 7097] mod_authz_core.c(809): [client 10.0.0.1:45287] AH01626: authorization result of Require ldap-group CN=group8,xxxxxxxxxxxxxxxxxxxxxxxxxx,DC=at: denied (no authenticated user yet)
[Mon Jun 18 13:34:37.700252 2018] [authz_core:debug] [pid 7097] mod_authz_core.c(809): [client 10.0.0.1:45287] AH01626: authorization result of Require ldap-group CN=group9,xxxxxxxxxxxxxxxxxxxxxxxxxx,DC=at: denied (no authenticated user yet)
[Mon Jun 18 13:34:37.700256 2018] [authz_core:debug] [pid 7097] mod_authz_core.c(809): [client 10.0.0.1:45287] AH01626: authorization result of Require ldap-group cn=group10,xxxxxxxxxxxxxxxxxxxxxxxxxx,dc=at: denied (no authenticated user yet)
[Mon Jun 18 13:34:37.700260 2018] [authz_core:debug] [pid 7097] mod_authz_core.c(809): [client 10.0.0.1:45287] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Jun 18 13:34:37.700381 2018] [authnz_ldap:debug] [pid 7097] mod_authnz_ldap.c(501): [client 10.0.0.1:45287] AH01691: auth_ldap authenticate: using URL ldap://xxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxx,dc=at?sAMAccountName
[Mon Jun 18 13:34:37.700522 2018] [ldap:debug] [pid 7097] util_ldap.c(379): AH01278: LDAP: Setting referrals to On.
[Mon Jun 18 13:34:37.953306 2018] [ldap:debug] [pid 7097] util_ldap.c(379): AH01278: LDAP: Setting referrals to On.
[Mon Jun 18 13:34:38.003997 2018] [authnz_ldap:info] [pid 7097] [client 10.0.0.1:45287] AH01695: auth_ldap authenticate: user domain\\username authentication failed; URI / [User not found][No such object]
[Mon Jun 18 13:34:38.004050 2018] [auth_basic:error] [pid 7097] [client 10.0.0.1:45287] AH01618: user domain\\username not found: /
Apache 配置文件如下所示:
Header set Access-Control-Allow-Origin "*"
LogLevel debug
<Location />
AuthName "Login with User"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPBindDN "CN=xxxxxxxxxxxxxxxxxx,DC=at"
AuthLDAPBindPassword xxxxxxxxxxxxxx
AuthLDAPURL "ldap://xxxxxxxxxx/xxxxxxxxxxx,dc=at?sAMAccountName"
Require ldap-group CN=group1,xxxxxxxxxxxxxxxxxxxxxxxxxxxx,DC=at
Require ldap-group CN=group2,xxxxxxxxxxxxxxxxxxxxxxxxxxxx,DC=at
Require ldap-group ....
</Location>
正如我所说,所有其他用户都可以工作,但这个用户不行。
因此我进一步对一些用户进行了 ldapquery,计算了 ldap 对象的大小。我得到了以下结果:
for eh in username1 username2 username3 username4 username5; do echo "######### $eh"; ldapsearch -x -h xxxxxxxxxxxxxxxxxx:389 -D "CN=xxxxxxxxxxxxxxxxxx,DC=at" -w 'xxxxxxxxxxxxxxxxxx' -b "xxxxxxxxxxxxxxxxxx" "(sAMAccountName=$eh)"|wc ; done
######### username1
473 778 26675
######### username2
711 1294 40586
######### username3
503 963 25752
######### username4
309 591 15015
######### username5
321 581 16972
有问题的是 username2。这是唯一真正的区别。我必须补充一点,这个用户过去能够登录,但我们实际上不知道发生了什么变化。所以问题是,mod_auth_ldap 是否可能无法处理大于 32KiB 的结果?或者我们还有其他问题?
遗憾的是,没有关于 apaches 新错误编号(如 AH01618 :/)的文档。
我们的系统描述:
# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
# rpm -qa|grep httpd
httpd-2.4.6-67.el7.centos.6.x86_64
httpd-tools-2.4.6-67.el7.centos.6.x86_64
# rpm -qa|grep ldap
sssd-ldap-1.15.2-50.el7_4.8.x86_64
mod_ldap-2.4.6-67.el7.centos.6.x86_64
openldap-2.4.44-5.el7.x86_64
openldap-clients-2.4.44-5.el7.x86_64
python-ldap-2.4.15-2.el7.x86_64
apr-util-ldap-1.5.2-6.el7.x86_64
编辑:我们检查了最大令牌大小,如所述@ms.com并得到受影响用户以下输出:
The computer is Windows Server 2012 R2 and is a member server.
Token Details for user affectedUser
**********************************
User's domain is xxxxxxxx.
Total estimated token size is 7408.
For access to DCs and delegatable resources the total estimated token delegation size is 14816.
Effective MaxTokenSize value is: 48000
Problem not detected.
与另一个(工作)用户相比:
Token Details for user workingUser
**********************************
User's domain is xxxxxxxxxx.
Total estimated token size is 4192.
For access to DCs and delegatable resources the total estimated token delegation size is 8384.
Effective MaxTokenSize value is: 48000
Problem not detected.
答案1
据我所知,MaxTokenSize 仅在涉及 Kerberos 票证时才有意义。但看起来你正在进行纯 LDAP 身份验证。
但是,如果用户是很多组的成员,您可能会在评估组条目时达到 AD 的 LDAP 搜索限制(默认为 1000 个条目)。
我想知道你有多少行表单Require ldap-group
。如果没有那么多自定义过滤器验证LDAPURL使用属性账户名称和成员也许值得尝试一下。